[FFmpeg-devel] [PATCH] avformat/hls: Disallow local file access by default

Tobias Rapp t.rapp at noa-archive.com
Wed May 31 18:18:57 EEST 2017


On 31.05.2017 15:42, wm4 wrote:
> On Wed, 31 May 2017 14:49:19 +0200
> Michael Niedermayer <michael at niedermayer.cc> wrote:
>
>> [...]
>>
>> Security fixes should be as simple as possible.
>
> Well, your fix isn't simple. It adds yet another exception with
> questionable effect. It makes it more complex and harder to predict
> what will actually happen, not simpler.
>
>> If people want, I can limit the local file check to the case where
>> the io_open callback is not set?
>> That way user applications which do their own sanitation would not be
>> affected by the check or error message and stay in full control of
>> what access is allowed.
>
> That would have little value and would make it more complex too.
>
> I'd say a good way to make this secure would be disabling the hls
> protocol in builds which are security sensitive.

We already have "protocol_whitelist", --disable-protocol and application
sandboxing as supported and generic options. I agree with wm4 that some
special-case handling here just adds complexity.

> In general there doesn't seem to be a good way. Feel free to prove me
> wrong. (I tried something similar, but in addition to the security vs.
> convenience tradeoff, it just didn't work.)

Regards,
Tobias
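
An added example, not part of the thread and not FFmpeg code: one way an application could do its own sanitation before handing a playlist to a demuxer, by resolving every playlist entry and rejecting schemes outside an allowlist. The function names, the allowlist and the sample playlist are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumption: a remote-only deployment that expects nothing but HTTP(S).
ALLOWED_SCHEMES = frozenset({"http", "https"})

def playlist_uris(text):
    """Yield (line_number, uri) for media lines and URI="..." tag attributes."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Tags such as EXT-X-KEY and EXT-X-MAP reference resources too.
            for match in re.finditer(r'URI="([^"]*)"', line):
                yield number, match.group(1)
        else:
            yield number, line

def disallowed_entries(playlist_url, text, allowed=ALLOWED_SCHEMES):
    """Return (line_number, uri, scheme) for entries outside the allowlist."""
    rejected = []
    for number, uri in playlist_uris(text):
        # Resolve relative entries against the playlist's own URL first.
        scheme = urlsplit(urljoin(playlist_url, uri)).scheme.lower()
        if scheme not in allowed:
            rejected.append((number, uri, scheme or "(none)"))
    return rejected

# Constructed sample playlist, not taken from the thread.
SAMPLE = "\n".join([
    "#EXTM3U",
    "#EXT-X-TARGETDURATION:10",
    '#EXT-X-KEY:METHOD=AES-128,URI="file:///constructed/key.bin"',
    "#EXTINF:10,",
    "seg0.ts",
    "#EXTINF:10,",
    "file:///constructed/local.txt",
    "#EXTINF:10,",
    "https://cdn.example.com/seg2.ts",
    "#EXT-X-ENDLIST",
])

if __name__ == "__main__":
    url = "https://media.example.com/live/index.m3u8"
    for entry in disallowed_entries(url, SAMPLE):
        print("rejected line %d: %s (scheme %s)" % entry)
```

The check covers one playlist only; a nested playlist fetched later needs the same check against its own URL.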
